_content/doc/security: add threat model section about env

Change-Id: I2285b4828d0abad39b3eeae54bd4291f957aa1b7
Reviewed-on: https://go-review.googlesource.com/c/website/+/770600
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/_content/doc/security/threat-model.md b/_content/doc/security/threat-model.md index 1664ad3..9daa339 100644 --- a/_content/doc/security/threat-model.md +++ b/_content/doc/security/threat-model.md
@@ -37,6 +37,13 @@ Passing garbage to an API resulting in unexpected output is not considered a security issue. +#### Environment Control + +It is assumed that the local system is safe. Attacks which rely on the OS already +being compromised are not considered relevant. For instance we do not consider +attacker control over the filesystem, environment variables, such as PATH, or +memory access or control to be part of our model. + ### Packages With Their Own Models * [encoding/json](/pkg/encoding/json/#hdr-Security_Considerations)
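Review bot: The last sentence of the new Environment Control paragraph ("we do not consider attacker control over the filesystem, environment variables, such as PATH, or memory access or control to be part of our model") does not say how much control puts a report out of scope, so a reader cannot tell whether partial control, such as one attacker-writable directory or a single inherited variable, counts as the OS being "already compromised". Consider stating the boundary explicitly, for example by saying the exclusion applies when the attacker already holds the privileges of the user running the program. The list is also hard to parse as written: "such as PATH" sits between two commas inside the enumeration, and "memory access or control" repeats "control" from the start of the list. Something like "control over the filesystem, environment variables (such as PATH), or process memory" reads more cleanly, and "For instance" should be followed by a comma.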